Listen to this Post

Introduction:
In the modern cybersecurity landscape, the sheer volume of telemetry data generated by endpoints, servers, and cloud platforms is overwhelming. However, as Okan YILDIZ, a Global Cybersecurity Leader, astutely points out, “Logs don’t stop attacks. Detections do.” The fundamental challenge facing Security Operations Centers (SOCs) today isn’t a lack of data, but a surplus of noise that obscures genuine threats. This article transforms the theoretical concept of detection engineering into a practical, actionable guide, empowering you to build high-confidence detections that minimize false positives and accelerate incident investigations.
Learning Objectives:
- Understand the core difference between data collection and actionable detection engineering.
- Learn how to craft and implement high-fidelity Splunk searches to identify specific adversary behaviors.
- Explore practical steps for tuning detections to reduce noise and align with the MITRE ATT&CK framework.
You Should Know:
1. Understanding the Detection Engineering Mindset
The foundational shift in modern security operations is moving from passive log storage to proactive threat hunting. A well-designed Splunk deployment is not merely a log repository; it is the engine of a modern detection engineering program. The goal is to turn raw data into meaningful detections that help security teams identify malicious activity before it escalates. This involves a continuous cycle of developing, testing, and refining detections—an approach known as “Detection as Code”.
The most mature SOC teams focus less on building dashboards and more on building high-confidence detections. While dashboards tell you what is happening, detection engineering helps you understand why it’s happening and whether it matters. Every alert should provide analysts with enough context to answer key questions: What happened? Who initiated the activity? Which assets are affected? Is this expected behavior or an anomaly? Which MITRE ATT&CK technique does it align with? By treating detections as critical code, organizations can maintain complete coverage across the evolving security landscape.
2. Building Your First Detection: Suspicious PowerShell Execution
Malicious PowerShell execution is a common vector for attackers, often used for code execution, privilege escalation, and living-off-the-land (LOLBAS) techniques. A robust detection leverages PowerShell’s Script Block Logging (EventCode 4104), which captures the de-obfuscated script block before it executes.
Step-by-step guide:
- Enable Logging: Ensure PowerShell Script Block Logging is enabled on all endpoints via Group Policy. This is a prerequisite for the detection to function.
- Create the SPL Search: In Splunk, navigate to the Search & Reporting app. Use the following search to hunt for suspicious patterns:
index=windows EventCode=4104 | where like(ScriptBlockText, "% -EncodedCommand %") OR like(ScriptBlockText, "% -e %") OR like(ScriptBlockText, "% Invoke-Expression %") OR like(ScriptBlockText, "% IEX %") | table _time, host, user, ScriptBlockText | sort - _time
This search filters for common obfuscation and execution patterns like
-EncodedCommand,-e, andInvoke-Expression. - Tune and Test: Validate the detection in a test environment to understand its alert volume. A detection that generates thousands of alerts is as useless as one that generates none.
- Map to MITRE ATT&CK: Annotate the detection with the relevant MITRE technique, such as T1059.001 (Command and Scripting Interpreter: PowerShell). This helps analysts understand the adversary’s intent.
3. Detecting Credential Dumping via LSASS
Credential dumping, particularly targeting the Local Security Authority Subsystem Service (LSASS), is a critical post-exploitation technique (MITRE ATT&CK T1003) used to extract credentials for lateral movement. Detecting this activity requires monitoring for specific process access patterns.
Step-by-step guide:
- Ensure Sysmon is Deployed: Sysmon (System Monitor) provides the detailed EventCode 10 (ProcessAccess) logs necessary for this detection.
- Create the SPL Search: Use the following search to identify suspicious access to
lsass.exe:index=windows EventCode=10 TargetImage=\lsass.exe | where (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | table _time, host, SourceImage, SourceProcessGUID, TargetImage, GrantedAccess | sort - _time
This search specifically looks for process access with permissions (
0x1010and0x1410) that are indicative of credential dumping tools like Mimikatz or procdump. - Correlate with Other Events: For higher confidence, correlate this with other events like the creation of a dump file (
EventCode 11) or suspicious command-line arguments (e.g.,procdump.exe -ma lsass.exe). - Automate Alerting: In Splunk Enterprise Security (ES), convert this search into a correlation search. Configure it to generate a notable event with a risk score, alerting analysts of a potential credential theft attempt.
4. Hunting for Windows Event Log Tampering
Adversaries often clear or disable Windows event logs to cover their tracks. Detecting this tampering is crucial for maintaining visibility and ensuring the integrity of your forensic data.
Step-by-step guide:
- Monitor Event IDs: Focus on Windows Security Event ID 1102 (The audit log was cleared) and System log Event 104 (The log was cleared).
2. Create the SPL Search:
index=windows (EventCode=1102 OR EventCode=104) | table _time, host, user, EventCode, Message | sort - _time
3. Investigate the Context: When an alert fires, investigate the surrounding logs. Look for the user account that initiated the clear, the time of the event, and any preceding suspicious activity (e.g., failed logins, service creation).
4. Implement Protective Measures: While detection is key, also consider implementing Windows Audit Policies to prevent unauthorized log clearing and ensure logs are securely forwarded to a central SIEM like Splunk, making them inaccessible to a compromised host.
5. Building Context with MITRE ATT&CK Mapping
A detection without context is just an alert. Mapping your detections to the MITRE ATT&CK framework transforms them into actionable intelligence, helping analysts understand adversary tactics, techniques, and procedures (TTPs).
Step-by-step guide:
- Utilize Splunk’s Built-in Framework: Splunk Enterprise Security (ES) and Splunk Security Essentials natively integrate with the MITRE ATT&CK framework.
- Annotate Detections: When creating a detection in Splunk ES, use the `mitre_attack_lookup` to add the relevant technique IDs (e.g., T1003 for Credential Dumping).
- Visualize Coverage: Use Splunk’s Detection Studio or the MITRE ATT&CK app for Splunk to map your active detection library to the framework. This visualizes your technical coverage in real-time, identifying TTP blind spots.
- Quantify Your Posture: Track measurable coverage growth as you deploy new detections. This provides a data-driven approach to improving your defensive posture and communicating progress to stakeholders.
What Undercode Say:
- Logs are the Raw Material, Detections are the Product: The value of a SIEM lies not in the volume of data stored, but in the quality of the detections built on top of it.
- Noise is the Enemy: The primary battle in a modern SOC is reducing false positives. A well-tuned detection that generates few, high-fidelity alerts is far more valuable than a thousand alerts that are never investigated.
- Context is King: Every alert must tell a story. Providing analysts with the who, what, when, and where, along with MITRE ATT&CK mapping, is essential for rapid and effective incident response.
- Treat Detections as Code: Detection engineering is a continuous cycle of development, testing, and refinement. It requires the same rigor as software development to ensure effectiveness and reliability.
- Proactive vs. Reactive Hunting: Detection engineering is the bridge between passive monitoring and proactive threat hunting, enabling teams to continuously hunt for adversary behavior.
Prediction:
- +1: Organizations that adopt “Detection as Code” and invest in high-fidelity detection engineering will experience a significant reduction in Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), directly improving their cyber resilience.
- +1: The integration of AI and machine learning into SIEM platforms like Splunk will further enhance detection engineering by automating the identification of anomalous patterns and reducing the manual effort required to tune alerts.
- -1: SOCs that fail to move beyond basic log aggregation and alerting will remain vulnerable. They will be overwhelmed by alert fatigue, unable to distinguish real threats from noise, and will continue to suffer from prolonged dwell times for advanced persistent threats (APTs).
- -1: The increasing sophistication of adversaries, particularly in their use of LOLBAS techniques and living-off-the-land binaries, will render traditional signature-based detections obsolete, forcing a greater reliance on behavioral analytics and robust detection engineering.
- +1: The growing community around detection engineering, fueled by open-source projects and frameworks, will lead to more standardized and effective detection rules, democratizing advanced threat detection capabilities for organizations of all sizes.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Yildizokan Splunk – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


